生成加密安全令牌 [英] Generating cryptographically secure tokens

问题描述

为了生成一个32个字符的令牌来访问我们的API，我们目前使用:

In order to generate a 32 character token for access to our API we currently use:

$token = md5(uniqid(mt_rand(), true));

我已经了解到，此方法基于系统时钟，因此不是加密安全的方法，并且openssl_random_pseudo_bytes将是更好的解决方案，因为它更难预测.

I have read that this method is not cryptographically secure as it's based on the system clock, and that openssl_random_pseudo_bytes would be a better solution as it would be harder to predict.

如果是这种情况，等效代码是什么样的?

If this is the case, what would the equivalent code look like?

我猜是这样的，但是我不知道这是对的...

I presume something like this, but I don't know if this is right...

$token = md5(openssl_random_pseudo_bytes(32));

我应该传递给函数的长度是多少?

Also what length makes sense that I should pass to the function?

推荐答案

这是正确的解决方案:

$token = bin2hex(openssl_random_pseudo_bytes(16));

# or in php7
$token = bin2hex(random_bytes(16));

这篇关于生成加密安全令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！